Leading Fintech company builds a modern Authz and Authn platform

Industry

Technology

AWS Bitbucket Docker DocumentDB Gravitee APIM and AM Java 11 JOOQ JWT Liquibase Mysql OAuth 2.0 Spring Boot Spring Security Swagger Vertx,

Introduction

We started building the custom plugins as well worked on the User Management Service and the allied services to build the complete Authz and Authn platform

About Tide

Tide (Tide Platform Limited) is a UK financial technology company providing mobile-first banking services for small and medium-sized enterprises. It enables businesses to set up a current account and get instant access to various financial services (including automated bookkeeping and integrated invoicing).

At present, Tide offers a savings bank account, provided by RBL Bank which is regulated by the Reserve Bank of India (RBI). With over 1 in 20 small business owners in the UK banking with us, we’re ready to go global and empower entrepreneurs just like you.

Impact

State-of-the-Art Security and compliance infrastructure provided to customers.
Usage of the standard protocols (Oauth2.0, OpenId Connect, UMA 2.0, and open banking) to ensure interoperability with all enterprise tools.

The challenge

The current web access management (WAM) and single sign-on (SSO) that Tide have was rudimentary and for the growing needs of the enterprise where many new requirements have surfaced like: managing access to an enterprise’s web APIs, not just web apps, Multifactor Authentication, Biometrics, Integration with 3rd Party Partners and ever-evolving roles and scopes it was quite insufficient. The system for managing this type of access had several challenges:

Modifying or enabling the current WAM solution to provide API security would have been unfriendly to developers, complex, expensive, and likely proprietary. Mobile clients were struggling to deal with XML-based and SOAP-based security mechanisms. Enterprise IT struggled to deploy agents or proxies.
Since it was getting overly complex to centralize access authorization, we found too much authorization code in applications, which slows service delivery by forcing developers to redevelop authorization logic, as well as hindering effective auditing and policy administration.
We needed to support features that were not available with the current solution like Multifactor Authentication, Biometrics, dynamic scopes, etc.
Since Tide is a fintech it was of paramount importance to have the best security mechanisms available which were not possible with the current system.
The current solution was making a lot of simplifying assumptions about how users authenticate (typically username and password into a web app). But with new mobile applications to enable customers, and other device types, and with strong authentication needs increasing, old assumptions were no longer viable.
There was a need for different authentication and authorization journeys for the users based on their roles in the organization, their classification (internal or external users) as well as the kind of the applications like Marketplace vendor applications, internal web, and mobile applications, 3rd party apps and partner applications.
And the most important one was that we should rely on standard protocols to ensure interoperability with our enterprise tools.

Our approach

NashTech worked with Tide on the complete modernization of the legacy web-based access management system to provide a state-of-the-art AuthZ and AuthN platform for secure communication with the external as well as internal systems. We wanted to implement it faster, and the right way was to use an off-the-shelf system that could be customized according to the company’s needs. After much research, we finalized Garvitee APIM and Access Management solution as the requisite tooling to build the platform.

The solution

Since there was an urgency to implement the new Platform because of many new features and services being ready to be launched in new features, it was decided that the preference would be given to an off-the-shelf product rather than implementing a solution from the beginning. The major challenge in identifying the right product was that it should support customization to a level where it can support custom implementations relevant to the business. Gravitee is an upcoming solution that has an open-source as well as enterprise version. Gravitee offers both API Management and Access Management solutions and the great thing about Gravitee solutions is its extensibility where we are able to create our own plugins with our custom functionality and integrate it easily. The Gravitee API Management solution provides

Rich Open Source functionality
High flexibility and scalability
API, Access and Identity Management all in one place ability to build, manage and monitor intuitively and quickly

Similarly, the Access Management solution is also rich in features like

Access Security: Control and secure enterprise data with industry-standard protocols such as OpenID Connect OAuth 2.0 and JWT.
Multi-factor authentication – Enforce security and convenience by adding extra authentication factors.
Passwordless and WebAuthn – Secure your apps and APIs with industry best-practice security using biometrics, tokens, and further passwordless auth mechanisms.

NashTech started building the custom plugins as well worked on the User Management Service and the allied services to build the complete Authentication and Authorization Platform for Fintech.

The details of the major components that constituted the Platform have been described in the next section.

Architecture

This diagram shows all the key interactions between the APIM Gateway, AM Gateway, user clients, and associated services/infrastructure.

AM Gateway (Access Management Service)

The AM gateway is one of the core components of the Tide platform. The AM gateway is a unified service for access and identity management. The underlying core of the AM Gateway is based on a reverse proxy architecture. The API Gateway routes HTTP web traffic to protected applications enabling close inspection, transformation, and filtering of each request. For API requests, the AM Gateway can authenticate and authorize users and services connecting to the API gateway, ensuring protected applications that are secured by leveraging OAuth2 and OpenID.

API Management Service

APIM gateway provides the complete functionality of API Gateway and API Management, some of the key attributes are API deployments and routing and providing necessary proxy settings. The API gateway calls out to the AM Gateway for token introspection.

Custom plugins to enrich the tokens for the APIs

Service Plugins – Custom plugins are used to handle the incoming requests and process them through the Vertx event handler by invoking the relevant processor.
Policy Plugin – A custom plugin used to convert the front-end token to relevant backend tokens which are used to access the backend APIs.

User Management Service

A Spring Boot service for providing support for the management of users and their access to resources. This service accepts the backend tokens and, after verifying them, gives access to the requested API.

- This service deals with the various roles and permissions assigned to the user and acts accordingly.
- This service also interacts with the AM gateway APIs directly.

Document DB

Amazon DocumentDB is a scalable, highly durable, and fully managed database service for operating mission-critical MongoDB workloads.

Migration of Legacy Users

For migration of the Legacy user JIT (Just In Time) approach was used, which in simple words is to migrate the user when he is trying to access the new system. So with this implementation, when a user attempts to log into the application, the user is searched on the new platform and if it is found, then try to authenticate the user against the new user management system. If it’s successfully authenticated, let them in. Otherwise, reject their login because they have invalid credentials. If the user doesn’t exist, check if the user is in Legacy Mapping data and if it exists there, use the Legacy IDP provider to validate that the user, and if it is authenticated, then commission the user in the new Platform.

The outcome

The end result was a highly secured, performant, extensible, and scalable new Auth platform enabling Tide to go global and able to launch many new products tailored to multiple markets with zero or minimal effort for AuthN and AuthZ. Having initiated this project in spring 2020, we went live in only two months with 100% production traffic, just as new sign-ups were accelerating due to COVID-19. We were able to accelerate and offer rich multi-user access at the start of 2021, less than a year since the initial project started.

Some of the key benefits other than the above are given below.

Enhanced the customer experience with feature upgrades.
State of Art Security infrastructure provided to customers
200% increase in the number of users.
Biometrics and Multifactor Authentication fully supported.
Tailored and Multiple User Journey flows for various applications.
Minimum downtimes, increased resilience, and better service quality
Credential setup for users invited by the primary account holder
Login for those users on devices where they have credentials (including additional data capture on consent)
Login for those users on new devices
Enriching tokens at the API GW via token introspection
Authentication of all users of the Tide platform, including primary account holders.
A richer model of roles/permissions
Account-level access controls
Self-service credential management and user profile management
Setting up new users from scratch
New types of users like marketplace vendors and partner organizations.

“The flexible solution designed by the team enables secured communication between the various components saving a significant amount of time and money. This process has enabled us to become future-ready.”